Jun 12, 2026

The Book That Kept Me Company on My Last Trip

I usually start my mornings with a hot drink and a good book. During my long stay last month, one book in particular kept me company: Web Application Security by Andrew Hoffman.

Reading it brought back a sense of nostalgia. Back in college, I spent a lot of time with O'Reilly books. I remember working through Python Programming and Python for Data Analysis, filling notebooks with exercises and building small projects along the way. What I always appreciated about O'Reilly books was how practical they felt. They didn't just explain concepts—they encouraged me to get my hands dirty and actually build things.

Coding in the Age of AI

When I came across this book, I picked it up partly for that familiar feeling and partly because of something I've been thinking about a lot lately.

With the rise of AI tools and how heavily many of us now rely on them while coding, it's becoming easier than ever to build software quickly. But speed can sometimes come at the expense of awareness. AI can generate code in seconds, but it doesn't automatically guarantee that the code is secure. As developers, we still need to understand what we're building, question assumptions, and recognize potential vulnerabilities before they make their way into production.

That's what motivated me to read this book. I wanted to better understand where security risks can appear in modern web applications and what areas I should pay closer attention to in my own projects.

About the Book

Web Application Security focuses on how modern web applications are attacked and, more importantly, how those attacks can be prevented. Rather than treating security as an afterthought, the book encourages developers to think about it throughout the entire development process.

The author walks through common vulnerabilities such as SQL injection, cross-site scripting (XSS), broken authentication, insecure APIs, and access control issues. What I found especially useful was that each topic was explained from both perspectives: how an attacker might exploit it and how a developer can defend against it.

The book doesn't assume that security is only the responsibility of security engineers. Instead, it makes the case that every developer should understand the fundamentals, especially when building applications that handle user data.

A Few Takeaways I Found Useful

  • Security should be considered throughout the development lifecycle, not added at the end.
  • APIs should be treated as first-class attack surfaces and protected accordingly.
  • Authorization is just as important as authentication.

Simple Practices to Help Protect Your Websites

  • Dependency management is a security concern; third-party packages can introduce vulnerabilities into otherwise secure systems.
  • Never assume client-side validation is sufficient; trust boundaries should always be enforced on the server.
  • Use strong authentication and enable multi-factor authentication when possible.
  • Apply the principle of least privilege for users and services.
  • Regularly review permissions and access controls.
  • Monitor logs and investigate unusual activity.
  • Treat AI-generated code the same way you would code written by a teammate—review it carefully before deploying it.

Security is never something you completely finish. It's an ongoing process of learning, reviewing, and improving.

The Dog From the Cover

And finally, the funniest part of this entire reading experience: during my stay, I met a dog that looked exactly like the one on the book cover. After spending weeks reading the book over my morning coffee, it felt like the cover had somehow come to life :)